Create, change, or delete a network security group

04/05/2018

Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. If you're not familiar with network security groups, see Network security group overview to learn more about them and complete the Filter network traffic tutorial to gain some experience with network security groups.

Before you begin

Complete the following tasks before completing steps in any section of this article:

If you use PowerShell commands to complete tasks in this article, either run the commands in the Azure Cloud Shell or run PowerShell from your computer. The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. This tutorial requires the Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable AzureRM to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzureRmAccount to create a connection with Azure.

If you use Azure Command-line interface (CLI) commands to complete tasks in this article, either run the commands in the Azure Cloud Shell or run the CLI from your computer. This tutorial requires the Azure CLI version 2.0.28 or later. Run az --version to find the installed version. If you need to install or upgrade, see Install Azure CLI. If you are running the Azure CLI locally, you also need to run az login to create a connection with Azure.

View all network security groups

In the search box at the top of the portal, enter network security groups. When Network security groups appears in the search results, select it. The network security groups that exist in your subscription are listed.

View details of a network security group

In the search box at the top of the portal, enter network security groups. When Network security groups appears in the search results, select it.

Select the network security group in the list that you want to view details for. Under SETTINGS you can view the Inbound security rules and Outbound security rules, the Network interfaces and Subnets the network security group is associated to. You can also enable or disable Diagnostic logs and view Effective security rules. To learn more, see Diagnostic logs and View effective security rules.

To learn more about the common Azure settings listed, see the following articles:

Delete a network security group

If a network security group is associated to any subnets or network interfaces, it cannot be deleted. Dissociate a network security group from all subnets and network interfaces before attempting to delete it.

In the search box at the top of the portal, enter network security groups. When Network security groups appears in the search results, select it.

Work with security rules

Create a security rule

There is a limit to how many rules you can create per network security group, per Azure location and subscription. For details, see Azure limits.

In the search box at the top of the portal, enter network security groups. When Network security groups appears in the search results, select it.

Select the network security group from the list that you want to add a security rule to.

Select Inbound security rules under SETTINGS. Several existing rules are listed, some of which you may not have added. When a network security group is created, several default security rules are created in it. To learn more, see default security rules. You can't delete default security rules, but you can override them with rules that have a higher priority.

Select + Add. Select or add values for the following settings and then select OK:

Setting: Source
Value: Select Any, Application security group, IP Addresses, or Service Tag for inbound security rules. If you're creating an outbound security rule, the options are the same as the options listed for Destination.
Details: If you select Application security group, then select one or more existing application security groups in the same region as the network interface. Learn how to create an application security group. If you select Application security group for both the Source and Destination, the network interfaces within both application security groups must be in the same virtual network. If you select IP Addresses, then specify Source IP addresses/CIDR ranges. You can specify a single value or a comma-separated list of multiple values. An example of multiple values is 10.0.0.0/16, 192.188.1.1. There are limits to the number of values you can specify. See Azure limits for details. If you select Service Tag, then select one service tag. A service tag is a predefined identifier for a category of IP addresses. To learn more about available service tags, and what each tag represents, see Service tags. If the IP address you specify is assigned to an Azure virtual machine, ensure that you specify the private IP address, not the public IP address assigned to the virtual machine. Security rules are processed after Azure translates the public IP address to a private IP address for inbound security rules, and before Azure translates a private IP address to a public IP address for outbound rules. To learn more about public and private IP addresses in Azure, see IP address types.

Setting: Source port ranges
Value: Specify a single port, such as 80, a range of ports, such as 1024-65535, or a comma-separated list of single ports and/or port ranges, such as 80, 1024-65535. Enter an asterisk to allow traffic on any port.
Details: The ports and ranges specify which ports traffic is allowed or denied on by the rule. There are limits to the number of ports you can specify. See Azure limits for details.

Setting: Destination
Value: Select Any, Application security group, IP addresses, or Virtual Network for inbound security rules. If you're creating an outbound security rule, the options are the same as the options listed for Source.
Details: If you select Application security group, then select one or more existing application security groups in the same region as the network interface. Learn how to create an application security group. If you select IP addresses, then specify Destination IP addresses/CIDR ranges. As with Source and Source IP addresses/CIDR ranges, you can specify a single address or range or multiple addresses or ranges, and there are limits to the number you can specify. Selecting Virtual network, which is a service tag, means that traffic is allowed to all IP addresses within the address space of the virtual network. If the IP address you specify is assigned to an Azure virtual machine, ensure that you specify the private IP address, not the public IP address assigned to the virtual machine. Security rules are processed after Azure translates the public IP address to a private IP address for inbound security rules, and before Azure translates a private IP address to a public IP address for outbound rules. To learn more about public and private IP addresses in Azure, see IP address types.

Setting: Destination port ranges
Value: Specify a single value, or a comma-separated list of values.
Details: As with Source port ranges, you can specify a single port or range or multiple ports and ranges, and there are limits to the number you can specify.

Setting: Protocol
Value: Select Any, TCP, or UDP.

Setting: Action
Value: Select Allow or Deny.

Setting: Priority
Value: Enter a value between 100 and 4096 that is unique among all security rules within the network security group.
Details: Rules are processed in priority order. The lower the number, the higher the priority. It's recommended that you leave a gap between priority numbers when creating rules, such as 100, 200, 300. Leaving gaps makes it easier to add rules in the future that you may need to rank higher or lower than existing rules.

Setting: Name
Value: A unique name for the rule within the network security group.
Details: The name can be up to 80 characters. It must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
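The settings above carry several constraints (priority range and gaps, name syntax, port syntax) that the portal enforces for you but that a script calling the CLI does not. The following POSIX shell script is an added example, not code from this article or from Azure: it checks rule settings against those constraints before composing the matching `az network nsg rule create` command. The resource group, NSG and rule names at the bottom are placeholders; address prefixes, application security groups and service tags are passed through unchecked; and the command is only printed unless NSG_APPLY=1 is set, so the script runs without the Azure CLI installed.

```shell
#!/bin/sh
# Added example, not code from the Azure documentation page: pre-flight checks
# for a security rule, following the constraints the settings list states,
# plus the Azure CLI command the checked values are passed to. Resource group,
# NSG and rule names used at the bottom are placeholders. Address prefixes,
# application security groups and service tags are passed through unchecked.

# Priority: an integer in 100-4096. Uniqueness within the NSG is not checked
# here; that needs the live rule list (az network nsg rule list).
valid_priority() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 100 ] && [ "$1" -le 4096 ]
}

# Name: 1-80 characters, starts with a letter or digit, ends with a letter,
# digit or underscore, and contains only letters, digits, '_', '.' and '-'.
valid_rule_name() {
  [ ${#1} -ge 1 ] && [ ${#1} -le 80 ] || return 1
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9_.-]*[A-Za-z0-9_])?$'
}

valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -le 65535 ]
}

# Port setting: '*', a single port, a range lo-hi, or a comma-separated list.
valid_port_ranges() {
  [ "$1" = '*' ] && return 0
  _n=0
  for _item in $(printf '%s' "$1" | tr ',' ' '); do
    _n=$((_n + 1))
    case "$_item" in
      *-*) _lo=${_item%%-*}; _hi=${_item#*-}
           valid_port "$_lo" && valid_port "$_hi" && [ "$_lo" -le "$_hi" ] || return 1 ;;
      *)   valid_port "$_item" || return 1 ;;
    esac
  done
  [ "$_n" -gt 0 ]
}

# Map the portal's protocol choice to the CLI value ('*' quoted for the shell).
cli_protocol() {
  case "$1" in
    Any|any|'*') echo "'*'" ;;
    TCP|Tcp|tcp) echo Tcp ;;
    UDP|Udp|udp) echo Udp ;;
    *) return 1 ;;
  esac
}

# Render a list-style value for the CLI: '*' is quoted so the shell does not
# expand it; comma-separated values become space-separated arguments.
cli_list() {
  if [ "$1" = '*' ]; then printf "'*'"; else printf '%s' "$1" | tr ',' ' ' | tr -s ' '; fi
}

# Suggest the next priority following the "leave gaps" advice: the next
# multiple of 100 above the highest existing priority, if it still fits.
next_priority() {
  _max=0
  for _p in "$@"; do [ "$_p" -gt "$_max" ] && _max=$_p; done
  _next=$(( (_max / 100 + 1) * 100 ))
  valid_priority "$_next" && echo "$_next"
}

# Build the az invocation as one string; fail (with the reason) on any invalid setting.
# Args: rg nsg name priority direction action protocol src src_ports dst dst_ports
build_rule_create() {
  _name=$3 _prio=$4 _dir=$5 _access=$6
  valid_rule_name "$_name"  || { echo "invalid name: $_name" >&2; return 1; }
  valid_priority "$_prio"   || { echo "invalid priority: $_prio" >&2; return 1; }
  case "$_dir" in Inbound|Outbound) ;; *) echo "invalid direction: $_dir" >&2; return 1 ;; esac
  case "$_access" in Allow|Deny) ;; *) echo "invalid action: $_access" >&2; return 1 ;; esac
  _proto=$(cli_protocol "$7") || { echo "invalid protocol: $7" >&2; return 1; }
  valid_port_ranges "$9"     || { echo "invalid source ports: $9" >&2; return 1; }
  valid_port_ranges "${11}"  || { echo "invalid destination ports: ${11}" >&2; return 1; }
  printf '%s' "az network nsg rule create --resource-group $1 --nsg-name $2 --name $_name" \
    " --priority $_prio --direction $_dir --access $_access --protocol $_proto" \
    " --source-address-prefixes $(cli_list "$8") --source-port-ranges $(cli_list "$9")" \
    " --destination-address-prefixes $(cli_list "${10}") --destination-port-ranges $(cli_list "${11}")"
  printf '\n'
}

# Print the command by default; run it only when NSG_APPLY=1 (needs az and az login).
apply_rule_create() {
  _cmd=$(build_rule_create "$@") || return 1
  if [ "${NSG_APPLY:-0}" = 1 ]; then sh -c "$_cmd"; else printf '%s\n' "$_cmd"; fi
}

# Placeholder values: allow TCP 22 inbound from a management range, at the next
# gapped priority above two existing rules (100 and 200).
apply_rule_create myResourceGroup myNsg allow-ssh-mgmt "$(next_priority 100 200)" \
  Inbound Allow TCP '10.0.0.0/16' '*' '*' 22
```

Run it as-is to see the command it would issue; set NSG_APPLY=1 only after az login. The checks mirror the portal's own validation, so a rule the script accepts is one the portal would accept too, while a rejected one fails fast with the offending setting instead of a CLI error after the API round trip.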

Create an application security group

Select + Create a resource in the upper-left corner of the Azure portal.

In the Search the Marketplace box, enter Application security group. When Application security group appears in the search results, select it, select Application security group again under Everything, and then select Create.

Permissions

To perform tasks on network security groups, security rules, and application security groups, your account must be assigned to the network contributor role or to a custom role that is assigned the appropriate permissions listed in the following tables: